<div dir="ltr">
<p>Hi all, can anyone verify if this is correct? I need to make sure that users will be able to access the internet via the squid.</p>
<p>Running FreeBSD with a single interface with Squid-3.5.2</p>
<p>Policy based routing on Cisco with the following:</p>
<pre>
interface GigabitEthernet0/0/1.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.9 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 standby 1 ip 10.0.0.10
 standby 1 priority 120
 standby 1 preempt
 standby 1 name HSRP
 ip policy route-map CFLOW

ip access-list extended REDIRECT
 deny   tcp host 10.0.0.24 any eq www
 permit tcp host 10.0.0.23 any eq www

route-map CFLOW permit 10
 match ip address REDIRECT
 set ip next-hop 10.0.0.24
</pre>
<p>In my /etc/pf.conf</p>
<pre>
rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129

# block in
pass in log quick on bge0
pass out log quick on bge0
pass out keep state
</pre>
<p>and finally in my squid.conf:</p>
<pre>
http_port 3128
http_port 3129 intercept
</pre>
<p>And for testing purposes from the squid server:</p>
<pre>
./squidclient -h 10.0.0.24 -p 3128 <a href="http://www.freebsd.org/">http://www.freebsd.org/</a>
</pre>
<p>If I replace -p 3128 with -p 80, I get an access denied, and if I omit the -p 3128 completely, I can access the websites.</p>
<p>tcpdump with (-p 3128)</p>
<pre>
13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
</pre>
<p>Did I miss anything?</p>
<p>Thanks<br>Monah</p>
</div>
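<p>The following is an added example, not part of the post above and not Cisco, pf or Squid code. It models the forwarding path the post describes offline: the router evaluates ACL REDIRECT with first-match semantics and policy-routes matching packets to the Squid host, and the Squid host's pf rdr rule then rewrites inbound port-80 traffic to the intercept port 3129. Addresses and ports are taken from the post; the destination addresses and the upstream next-hop label are constructed. The model is deliberately simplified (no HSRP, no NAT, rdr applied only to packets arriving from the router), but it is enough to show why the ACL's first entry, the deny for the proxy's own address, is the line that keeps Squid's outbound fetches from being policy-routed back to itself.</p>

```python
"""Offline model of PBR-to-pf-rdr interception (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass

PROXY_IP = "10.0.0.24"     # Squid host, from the post
CLIENT_IP = "10.0.0.23"    # the one client ACL REDIRECT permits, from the post
UPSTREAM = "upstream"      # constructed label for the router's normal default route


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# ip access-list extended REDIRECT, as posted, in order. Cisco ACLs are
# first-match and end in an implicit deny. Entries: (action, proto, src, dst, dport).
ACL_REDIRECT = [
    ("deny",   "tcp", "10.0.0.24/32", "0.0.0.0/0", 80),
    ("permit", "tcp", "10.0.0.23/32", "0.0.0.0/0", 80),
]


def _in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry decides; falling off the end is an implicit deny."""
    for action, proto, src, dst, dport in acl:
        if (pkt.proto == proto and _in_net(pkt.src, src)
                and _in_net(pkt.dst, dst) and pkt.dport == dport):
            return action == "permit"
    return False


def router_next_hop(pkt: Packet, acl=ACL_REDIRECT) -> str:
    """route-map CFLOW permit 10: match REDIRECT -> set ip next-hop 10.0.0.24.
    Anything the route-map does not match follows the ordinary routing table."""
    return PROXY_IP if acl_permits(acl, pkt) else UPSTREAM


def pf_rdr(pkt: Packet) -> Packet:
    """rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
    pf rdr translates packets as they arrive on the interface, so this is only
    applied to packets the router has already sent toward the proxy."""
    if pkt.proto == "tcp" and _in_net(pkt.src, "10.0.0.0/8") and pkt.dport == 80:
        return Packet(pkt.src, PROXY_IP, 3129, pkt.proto)
    return pkt


def trace(pkt: Packet, acl=ACL_REDIRECT):
    """Return (next hop chosen by the router, packet as Squid's intercept port sees it).
    The second element is None when the proxy never sees the packet."""
    nh = router_next_hop(pkt, acl)
    if nh != PROXY_IP:
        return nh, None
    return nh, pf_rdr(pkt)


def proxy_loops(acl) -> bool:
    """Configuration check: would the proxy's own outbound port-80 fetches be
    policy-routed back to the proxy? True means a forwarding loop."""
    return acl_permits(acl, Packet(PROXY_IP, "203.0.113.10", 80))


if __name__ == "__main__":
    samples = [
        Packet(CLIENT_IP, "203.0.113.10", 80),   # permitted client: intercepted
        Packet(PROXY_IP, "203.0.113.10", 80),    # Squid's own fetch: must not loop
        Packet("10.0.0.30", "203.0.113.10", 80), # host not in the ACL: goes direct
        Packet(CLIENT_IP, "203.0.113.10", 443),  # HTTPS: ACL only matches eq www
    ]
    for p in samples:
        print(p, "->", trace(p))
    # The same ACL without the deny line (constructed variant) would loop:
    print("loop with posted ACL:", proxy_loops(ACL_REDIRECT))
    print("loop without deny entry:", proxy_loops(ACL_REDIRECT[1:] +
          [("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0", 80)]))
```

<p>Running the module prints one trace per sample packet: only the permitted client's port-80 traffic reaches 10.0.0.24:3129, the proxy's own fetches and the unlisted host take the normal route, and port 443 is never matched because the ACL says <code>eq www</code>. The <code>proxy_loops</code> check is the part worth keeping when the ACL is widened to a whole subnet: if the proxy's address falls inside a permit entry without a preceding deny, its outbound requests are sent straight back to it.</p>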